The following issues were found
Kernel/API/POSIX/sys/utsname.h
5 issues
Line: 18
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Length in bytes of every field of struct utsname. The header cannot
 * enforce this bound itself, which is why FlawFinder flags each array
 * (CWE-119/120): any code filling these fields must limit its copy to
 * UTSNAME_ENTRY_LEN. Whether a NUL terminator is always stored inside
 * that bound is decided by the uname() implementation — confirm there. */
#define UTSNAME_ENTRY_LEN 65

/* System identification record (POSIX <sys/utsname.h>); all fields are
 * fixed-size char arrays of UTSNAME_ENTRY_LEN bytes. */
struct utsname {
    char sysname[UTSNAME_ENTRY_LEN];
    char nodename[UTSNAME_ENTRY_LEN];
    char release[UTSNAME_ENTRY_LEN];
    char version[UTSNAME_ENTRY_LEN];
    char machine[UTSNAME_ENTRY_LEN];
};
Reported by FlawFinder.
Line: 19
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* System identification record (POSIX <sys/utsname.h>). Every field is a
 * fixed-size char array of UTSNAME_ENTRY_LEN bytes; the struct cannot
 * bound writes itself (FlawFinder CWE-119/120), so writers must cap copies
 * at UTSNAME_ENTRY_LEN. Whether a NUL terminator always fits is up to the
 * uname() implementation — confirm there. */
struct utsname {
    char sysname[UTSNAME_ENTRY_LEN];
    char nodename[UTSNAME_ENTRY_LEN];
    char release[UTSNAME_ENTRY_LEN];
    char version[UTSNAME_ENTRY_LEN];
    char machine[UTSNAME_ENTRY_LEN];
};
Reported by FlawFinder.
Line: 20
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* System identification record (POSIX <sys/utsname.h>). Every field is a
 * fixed-size char array of UTSNAME_ENTRY_LEN bytes; the struct cannot
 * bound writes itself (FlawFinder CWE-119/120), so writers must cap copies
 * at UTSNAME_ENTRY_LEN. Whether a NUL terminator always fits is up to the
 * uname() implementation — confirm there. */
struct utsname {
    char sysname[UTSNAME_ENTRY_LEN];
    char nodename[UTSNAME_ENTRY_LEN];
    char release[UTSNAME_ENTRY_LEN];
    char version[UTSNAME_ENTRY_LEN];
    char machine[UTSNAME_ENTRY_LEN];
};
#ifdef __cplusplus
Reported by FlawFinder.
Line: 21
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char sysname[UTSNAME_ENTRY_LEN];
char nodename[UTSNAME_ENTRY_LEN];
char release[UTSNAME_ENTRY_LEN];
char version[UTSNAME_ENTRY_LEN];
char machine[UTSNAME_ENTRY_LEN];
};
#ifdef __cplusplus
}
Reported by FlawFinder.
Line: 22
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char nodename[UTSNAME_ENTRY_LEN];
char release[UTSNAME_ENTRY_LEN];
char version[UTSNAME_ENTRY_LEN];
char machine[UTSNAME_ENTRY_LEN];
};
#ifdef __cplusplus
}
#endif
Reported by FlawFinder.
Kernel/FileSystem/InodeWatcher.cpp
5 issues
Line: 54
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
auto result = buffer.write_buffered<MAXIMUM_EVENT_SIZE>(bytes_to_write, [&](u8* data, size_t data_bytes) {
size_t offset = 0;
memcpy(data + offset, &event.wd, sizeof(InodeWatcherEvent::watch_descriptor));
offset += sizeof(InodeWatcherEvent::watch_descriptor);
memcpy(data + offset, &event.type, sizeof(InodeWatcherEvent::type));
offset += sizeof(InodeWatcherEvent::type);
if (!event.path.is_null()) {
Reported by FlawFinder.
Line: 56
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data + offset, &event.wd, sizeof(InodeWatcherEvent::watch_descriptor));
offset += sizeof(InodeWatcherEvent::watch_descriptor);
memcpy(data + offset, &event.type, sizeof(InodeWatcherEvent::type));
offset += sizeof(InodeWatcherEvent::type);
if (!event.path.is_null()) {
memcpy(data + offset, &name_length, sizeof(InodeWatcherEvent::name_length));
offset += sizeof(InodeWatcherEvent::name_length);
Reported by FlawFinder.
Line: 60
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset += sizeof(InodeWatcherEvent::type);
if (!event.path.is_null()) {
memcpy(data + offset, &name_length, sizeof(InodeWatcherEvent::name_length));
offset += sizeof(InodeWatcherEvent::name_length);
memcpy(data + offset, event.path.characters(), name_length);
} else {
memset(data + offset, 0, sizeof(InodeWatcherEvent::name_length));
}
Reported by FlawFinder.
Line: 62
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!event.path.is_null()) {
memcpy(data + offset, &name_length, sizeof(InodeWatcherEvent::name_length));
offset += sizeof(InodeWatcherEvent::name_length);
memcpy(data + offset, event.path.characters(), name_length);
} else {
memset(data + offset, 0, sizeof(InodeWatcherEvent::name_length));
}
return data_bytes;
Reported by FlawFinder.
Line: 34
Column: 33
CWE codes:
120
20
return !m_queue.is_empty();
}
KResultOr<size_t> InodeWatcher::read(FileDescription&, u64, UserOrKernelBuffer& buffer, size_t buffer_size)
{
MutexLocker locker(m_lock);
if (m_queue.is_empty())
// can_read will catch the blocking case.
return EAGAIN;
Reported by FlawFinder.
Kernel/FileSystem/InodeFile.cpp
5 issues
Line: 125
Column: 20
CWE codes:
362
Suggestion:
Use fchown( ) instead
return KSuccess;
}
// Changes owner/group of the inode behind an already-open description.
// The description must refer to this file's inode and carry a custody
// (presumably resolved when it was opened — confirm in FileDescription).
// The VFS call operates on that custody, not on a path, so FlawFinder's
// CWE-362 "use fchown() instead" remark does not describe a race here.
KResult InodeFile::chown(FileDescription& description, uid_t uid, gid_t gid)
{
    VERIFY(description.inode() == m_inode);
    VERIFY(description.custody());

    auto& custody = *description.custody();
    return VirtualFileSystem::the().chown(custody, uid, gid);
}
Reported by FlawFinder.
Line: 129
Column: 37
CWE codes:
362
Suggestion:
Use fchown( ) instead
{
VERIFY(description.inode() == m_inode);
VERIFY(description.custody());
return VirtualFileSystem::the().chown(*description.custody(), uid, gid);
}
KResult InodeFile::chmod(FileDescription& description, mode_t mode)
{
VERIFY(description.inode() == m_inode);
Reported by FlawFinder.
Line: 132
Column: 20
CWE codes:
362
Suggestion:
Use fchmod( ) instead
return VirtualFileSystem::the().chown(*description.custody(), uid, gid);
}
// Changes the mode bits of the inode behind an already-open description.
// The description must refer to this file's inode and carry a custody
// (presumably resolved when it was opened — confirm in FileDescription).
// The VFS call operates on that custody, not on a path, so FlawFinder's
// CWE-362 "use fchmod() instead" remark does not describe a race here.
KResult InodeFile::chmod(FileDescription& description, mode_t mode)
{
    VERIFY(description.inode() == m_inode);
    VERIFY(description.custody());

    auto& custody = *description.custody();
    return VirtualFileSystem::the().chmod(custody, mode);
}
Reported by FlawFinder.
Line: 136
Column: 37
CWE codes:
362
Suggestion:
Use fchmod( ) instead
{
VERIFY(description.inode() == m_inode);
VERIFY(description.custody());
return VirtualFileSystem::the().chmod(*description.custody(), mode);
}
}
Reported by FlawFinder.
Line: 29
Column: 30
CWE codes:
120
20
{
}
KResultOr<size_t> InodeFile::read(FileDescription& description, u64 offset, UserOrKernelBuffer& buffer, size_t count)
{
if (Checked<off_t>::addition_would_overflow(offset, count))
return EOVERFLOW;
auto result = m_inode->read_bytes(offset, count, buffer, &description);
Reported by FlawFinder.
Userland/Libraries/LibPDF/Parser.cpp
5 issues
Line: 94
Column: 31
CWE codes:
120
20
return false;
m_reader.move_by(5);
char major_ver = m_reader.read();
if (major_ver != '1' && major_ver != '2')
return false;
if (m_reader.read() != '.')
return false;
Reported by FlawFinder.
Line: 97
Column: 18
CWE codes:
120
20
char major_ver = m_reader.read();
if (major_ver != '1' && major_ver != '2')
return false;
if (m_reader.read() != '.')
return false;
char minor_ver = m_reader.read();
if (minor_ver < '0' || minor_ver > '7')
return false;
Reported by FlawFinder.
Line: 100
Column: 31
CWE codes:
120
20
if (m_reader.read() != '.')
return false;
char minor_ver = m_reader.read();
if (minor_ver < '0' || minor_ver > '7')
return false;
consume_eol();
// Parse optional high-byte comment, which signifies a binary file
Reported by FlawFinder.
Line: 347
Column: 36
CWE codes:
120
20
if (!consume(' '))
return {};
auto letter = m_reader.read();
if (letter != 'n' && letter != 'f')
return {};
// The line ending sequence can be one of the following:
// SP CR, SP LF, or CR LF
Reported by FlawFinder.
Tests/Kernel/TestKernelFilePermissions.cpp
5 issues
Line: 21
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_contents)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
char buffer[8] {};
Reported by FlawFinder.
Line: 26
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
char buffer[8] {};
write(fd, buffer, sizeof(buffer));
struct stat s;
EXPECT(fstat(fd, &s) != -1);
close(fd);
Reported by FlawFinder.
Line: 41
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_ownership)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
fchown(fd, getuid(), getgid());
Reported by FlawFinder.
Line: 60
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_permissions)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
fchmod(fd, 0755);
Reported by FlawFinder.
Line: 79
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_location)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
auto suid_path = Core::File::read_link(String::formatted("/proc/{}/fd/{}", getpid(), fd));
Reported by FlawFinder.
Kernel/Process.cpp
5 issues
Line: 380
CWE codes:
570
g_signal_trampoline_region = MM.allocate_kernel_region(PAGE_SIZE, "Signal trampolines", Memory::Region::Access::ReadWrite).leak_ptr();
g_signal_trampoline_region->set_syscall_region(true);
size_t trampoline_size = asm_signal_trampoline_end - asm_signal_trampoline;
u8* code_ptr = (u8*)g_signal_trampoline_region->vaddr().as_ptr();
memcpy(code_ptr, asm_signal_trampoline, trampoline_size);
g_signal_trampoline_region->set_writable(false);
Reported by Cppcheck.
Line: 167
Column: 45
CWE codes:
362
return {};
}
auto& device_to_use_as_tty = tty ? (CharacterDevice&)*tty : NullDevice::the();
auto description = device_to_use_as_tty.open(O_RDWR).value();
auto setup_description = [&process, &description](int fd) {
process->m_fds.m_fds_metadatas[fd].allocate();
process->m_fds[fd].set(*description);
};
Reported by FlawFinder.
Line: 383
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t trampoline_size = asm_signal_trampoline_end - asm_signal_trampoline;
u8* code_ptr = (u8*)g_signal_trampoline_region->vaddr().as_ptr();
memcpy(code_ptr, asm_signal_trampoline, trampoline_size);
g_signal_trampoline_region->set_writable(false);
g_signal_trampoline_region->remap();
}
Reported by FlawFinder.
Line: 581
Column: 58
CWE codes:
362
// Try to generate a filename which isn't already used.
auto base_filename = String::formatted("{}_{}", name(), pid().value());
auto description_or_error = VirtualFileSystem::the().open(String::formatted("{}.profile", base_filename), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
for (size_t attempt = 1; attempt < 10 && description_or_error.is_error(); ++attempt)
description_or_error = VirtualFileSystem::the().open(String::formatted("{}.{}.profile", base_filename, attempt), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
if (description_or_error.is_error()) {
dbgln("Failed to generate perfcore for pid {}: Could not generate filename for the perfcore file.", pid().value());
return false;
Reported by FlawFinder.
Line: 583
Column: 57
CWE codes:
362
auto base_filename = String::formatted("{}_{}", name(), pid().value());
auto description_or_error = VirtualFileSystem::the().open(String::formatted("{}.profile", base_filename), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
for (size_t attempt = 1; attempt < 10 && description_or_error.is_error(); ++attempt)
description_or_error = VirtualFileSystem::the().open(String::formatted("{}.{}.profile", base_filename, attempt), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
if (description_or_error.is_error()) {
dbgln("Failed to generate perfcore for pid {}: Could not generate filename for the perfcore file.", pid().value());
return false;
}
Reported by FlawFinder.
Userland/Libraries/LibC/stat.cpp
5 issues
Line: 33
Column: 5
CWE codes:
362
Suggestion:
Use fchmod( ) instead
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int chmod(const char* pathname, mode_t mode)
{
if (!pathname) {
errno = EFAULT;
return -1;
}
Reported by FlawFinder.
Line: 18
Column: 8
CWE codes:
732
extern "C" {
// libc entry point for umask(2): hands the new mask to the kernel and
// returns the kernel's result unchanged (per POSIX, the previous mask).
// FlawFinder's CWE-732 hit on this line is its generic umask() warning;
// this is the wrapper itself, not a caller choosing a permissive mask.
mode_t umask(mode_t mask)
{
    mode_t const previous_mask = syscall(SC_umask, mask);
    return previous_mask;
}
int mkdir(const char* pathname, mode_t mode)
Reported by FlawFinder.
Line: 29
Column: 42
CWE codes:
126
errno = EFAULT;
return -1;
}
int rc = syscall(SC_mkdir, pathname, strlen(pathname), mode);
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int chmod(const char* pathname, mode_t mode)
{
Reported by FlawFinder.
Line: 39
Column: 42
CWE codes:
126
errno = EFAULT;
return -1;
}
int rc = syscall(SC_chmod, pathname, strlen(pathname), mode);
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int fchmod(int fd, mode_t mode)
{
Reported by FlawFinder.
Line: 60
Column: 53
CWE codes:
126
errno = EFAULT;
return -1;
}
Syscall::SC_stat_params params { dirfd, { path, strlen(path) }, statbuf, follow_symlinks };
int rc = syscall(SC_stat, ¶ms);
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int lstat(const char* path, struct stat* statbuf)
Reported by FlawFinder.
Userland/Libraries/LibLine/InternalFunctions.cpp
5 issues
Line: 564
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
if (pid == 0) {
execvp(editor_command, const_cast<char* const*>(args.data()));
perror("execv");
_exit(126);
} else {
int wstatus = 0;
do {
Reported by FlawFinder.
Line: 518
Column: 34
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
void Editor::edit_in_external_editor()
{
const auto* editor_command = getenv("EDITOR");
if (!editor_command)
editor_command = m_configuration.m_default_text_editor.characters();
char file_path[] = "/tmp/line-XXXXXX";
auto fd = mkstemp(file_path);
Reported by FlawFinder.
Line: 523
Column: 15
CWE codes:
377
editor_command = m_configuration.m_default_text_editor.characters();
char file_path[] = "/tmp/line-XXXXXX";
auto fd = mkstemp(file_path);
if (fd < 0) {
perror("mktemp");
return;
}
Reported by FlawFinder.
Line: 556
Column: 16
CWE codes:
362
Suggestion:
Use fork() instead
};
Vector<const char*> args { editor_command, file_path, nullptr };
auto pid = vfork();
if (pid == -1) {
perror("vfork");
return;
}
Reported by FlawFinder.
Line: 578
Column: 42
CWE codes:
362
}
{
auto file_or_error = Core::File::open(file_path, Core::OpenMode::ReadOnly);
if (file_or_error.is_error())
return;
auto file = file_or_error.release_value();
auto contents = file->read_all();
Reported by FlawFinder.
AK/Buffered.h
5 issues
Line: 52
Column: 12
CWE codes:
120
20
// Delegates the recoverable-error flag to the wrapped m_stream.
void set_recoverable_error() const override
{
    m_stream.set_recoverable_error();
}
// Delegates the fatal-error flag to the wrapped m_stream.
void set_fatal_error() const override
{
    m_stream.set_fatal_error();
}
size_t read(Bytes bytes) override
{
if (has_any_error())
return 0;
auto nread = buffer().trim(m_buffered).copy_trimmed_to(bytes);
Reported by FlawFinder.
Line: 63
Column: 35
CWE codes:
120
20
buffer().slice(nread, m_buffered).copy_to(buffer());
if (nread < bytes.size()) {
m_buffered = m_stream.read(buffer());
if (m_buffered == 0)
return nread;
nread += read(bytes.slice(nread));
Reported by FlawFinder.
Meta/Lagom/Fuzzers/FuzzilliJs.cpp
5 issues
Line: 76
Column: 27
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
__edges_stop = stop;
// Map the shared memory region
const char* shm_key = getenv("SHM_ID");
if (!shm_key) {
puts("[COV] no shared memory bitmap available, skipping");
__shmem = (struct shmem_data*)malloc(SHM_SIZE);
} else {
int fd = shm_open(shm_key, O_RDWR, S_IREAD | S_IWRITE);
Reported by FlawFinder.
Line: 212
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data_buffer.size() < script_size)
data_buffer.resize(script_size - data_buffer.size());
VERIFY(data_buffer.size() >= script_size);
memcpy(data_buffer.data(), reprl_input, script_size);
int result = 0;
auto js = StringView(static_cast<const unsigned char*>(data_buffer.data()), script_size);
Reported by FlawFinder.
Line: 189
Column: 44
CWE codes:
120
20
char* reprl_input = nullptr;
char helo[] = "HELO";
if (write(REPRL_CWFD, helo, 4) != 4 || read(REPRL_CRFD, helo, 4) != 4) {
VERIFY_NOT_REACHED();
}
VERIFY(memcmp(helo, "HELO", 4) == 0);
reprl_input = (char*)mmap(0, REPRL_MAX_DATA_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, REPRL_DRFD, 0);
Reported by FlawFinder.
Line: 202
Column: 16
CWE codes:
120
20
while (true) {
unsigned action;
VERIFY(read(REPRL_CRFD, &action, 4) == 4);
VERIFY(action == 'cexe');
size_t script_size;
VERIFY(read(REPRL_CRFD, &script_size, 8) == 8);
VERIFY(script_size < REPRL_MAX_DATA_SIZE);
Reported by FlawFinder.
Line: 206
Column: 16
CWE codes:
120
20
VERIFY(action == 'cexe');
size_t script_size;
VERIFY(read(REPRL_CRFD, &script_size, 8) == 8);
VERIFY(script_size < REPRL_MAX_DATA_SIZE);
ByteBuffer data_buffer;
if (data_buffer.size() < script_size)
data_buffer.resize(script_size - data_buffer.size());
VERIFY(data_buffer.size() >= script_size);
Reported by FlawFinder.